Post on 11-Mar-2020
A Market-basedApproach to
Software EvolutionDavid F. Bacon *
Yiling ChenDavid ParkesMalvika Rao
Harvard University
* IBM Research
Bugs are Everywhereannoying, costly, dangerous
“Software Crisis” (F. L. Bauer)First NATO Software Engineering Conference, 1968
A Tradition of Failure
Formal Methods
Specs & Proofs
Model Checking
Fatal Flaws:
• Rely on Spec
•Don’t Scale
Software Engineering
Methodology
Process
Fatal Flaws:
• Not Quantitative
• Degenerates to Religion
Bugs Have a“Long Tail”
These get fixed… maybe These don’t
security bugsB
ug F
ix V
alue
HOW DO BUGS GET SORTED??
Bugs sorted by Value
HOW ARE COSTS DETERMINED??
Users and Developers Are Isolated From Each Other
...deliberatelybecause feedback can’t be accumulated automatically
Can a Market Help Solve This Problem?
xkcd
Large supply of work
Large supply of capable workers
Real value for performing the work
Imagine...
Offer Bounty
Click Reopen to open the application again. Click Report to see details or send a report. Click Offer Bounty to contribute to a bounty for fixing this bug.
Select an amount to offer as a bounty for fixing this bug.
Your bounty will be held in escrow until the bug is fixed or the time limit expires. The default time limit is 6 months.
Currently, 875 users have offered a total of $2298.45 for fixing this bug.You have been affected by this bug 7 times.
Max: $50Avg: $2.63$0.99 Other
Correctness Demand
Sum of rewards for a bug is the demand to fix it
Sum of all rewards is the correctness demand
When correctness demand = 0 either
software is bug free or…
no one cares about it anymore.
Correctness Potential
Set of possible workers
For each bug, each worker has a cost to fix it
If cost < reward, “worth fixing” for that worker
Potential of bug: profit by most efficient worker
Correctness Potential = the sum of bug potentials
Correctness Equilibrium
Market is in correctness equilibrium when correctness potential = 0
In “living” software that never happens:
new bugs are found
bug bids change
workers come and go
Goal: design a system that tends towards dynamic equilibrium
Is it a Bug or a Feature?Who Cares?!
How do we Design such a Market?
GUIDING PRINCIPLES:
Autonomy: all actions are market-driven
Inclusiveness: all contributors are rewarded
Transparency: “financial disclosure”
Reliability: robustness to manipulation
Apply both market pressure and software tools
What are the Components?
Funding
Workflow Process
Reputation System
Show me the Money! Cash or scrip or votes?
Sources of real cash:
direct user bids
escrow from sale (closed source)
escrow from contribution (shareware)
escrow from registration (open source)
Time limit on bids - money reverts to source
Time
Bids
- Pa
yout
sHigh Priority, Easy to FixHigh Priority, Hard to FixLow Priority, Easy to FixLow Priority, Hard to Fix
t0
Demand Trajectory
Workflow: Bug
Report
Bid
Categorize
Reproduce
Fix
Test
Commit
Distribute
Everyone S
hares Rew
ard
Humans vs T
ools?
Reputation System
Ratings based on past performance
Control certain activities (e.g. commits)
May also affect reward distribution
Adjusted with information about software lifetime
Can be seeded by central organization
useful when project is small
occasional escape hatch
It’s Started: App Store
TopCoder
Market-Based Software
• Only Possible Kind of Solution
• Empowers Users and Programmers
• Makes Problem Quantitative
Thanks.
Feedback?
Mechanism Design Problems
Avoiding Freeloading
Preventing Fraudulent “Fixed” Claims by Providers
Preventing Fraudulent “Not Fixed” Claims by Consumers
Lag in fix verification by Consumers
Lots of Uncertainty When are two crashes the “same bug”?
Line number? Data set?
When does a change “fix” a bug?
Partial fixes & incorrect fixes are not uncommon
One fix may improve or worsen another bug
If multiple fixes submitted, which is best?
Band-aids versus Deep fixes
Program analysis can help reduce uncertainty, but will never eliminate it
Next Steps
Simplified market mechanism design with analytical equilibrium property
Identify analysis and testing techniques that can be integrated into the system.
Prototype market infrastructure
Trial run (seed a market?)
TopCoder
Handles “supply side” -- developers
Highly differentiated stages of development
Short, manageable tasks
Competitive process
Validation:
automated testing
competitive forces: challenges
iTunes App Store
Micropayment system with broad acceptance
Primarily supply side
but often compete for users on similar apps
Monolithic -- but apps are fine-grained
Developers responsive to user feedback
Software Distribution Mechanism
Bug Auctions for Vulnerability Markets
Testers
Attackers
Users
Producer
R
PurchasePrice
Bug Auctions for Vulnerability Markets
(Ozment’s redefinition of Schechter)
Note: paying for bug reports (“user” activity)
Bounty R starts at R0 increasing by d/day
Open first-price ascending (reverse Dutch) auctionOpen auction speeds discovery
Non-security bugs receive fR, where f << 1
R acts as a “measure of security”
Bug Auctions for Vulnerability Markets
(Ozment’s Enhancements)
Testers
Attackers
Users
Trusted ThirdParty
Producer
RE=rt+vR0
PurchasePrice
Bug Auctions for Vulnerability Markets
(Ozment’s Enhancements) Set initial reward (first R) high
Include reputation reward
Commit/escrow minimum payout E=rt+vR0
Reduce R to Rx (x < 1) if exploit precedes fix
Don’t expose number of testers (unless small)
Give reward for registered testers
Use trusted third party to escrow reward fund
Vulnerability Markets(Kannan & Telang)
Testers
Attackers
Users
“Infomediary”(CERT)
Producer
pb
ps
leak
“Federal Funding”(Kannan & Telang)
Testers
Attackers
Users
“Infomediary”(CERT)
FederalGovernment
pb
ps
leak
A Comprehensive Market for Software Evolution
Formal Techniques Don’t Scale
Specifications and Proofs of Correctness
Limited to ~1000 line programs
Model Checking
Limited to problems with small state spaces
Big, real-world programs often have no precise “spec”
...or it’s too complex to verify or test exhaustively
Dijkstra Turing Award prediction failed to happen
Formal Techniques Won’t Ever Scale
But Why Differentiate?
Aside:Mechanism Design
What information is revealed has a big impact
COMPONENT DESCRIPTION BOUNTY HUNTERS USERS PER-USER
BOUNTYTOTAL
BOUNTY
Widget: Cocoa firefox hangs if cookie ask permission to set whilst save target as dialog is open (image) 3 1521 $2.27 $3457.98
Places Live bookmarks load way too aggressively (lock up/hang/freeze browser) 1 162 $9.12 $1477.44
XUL UI freezes if alert/dialog comes up while dragging (Modal dialog during drag causes hang) 0 3818 $0.34 $1298.12
BugBounty.Com
Top 3 Fatal BugsMozilla Firefox
Since Specs Are Fallible...
Forget formal specification
The spec is what the market says it ought to be
And While We’re At It…Broaden the Market
Documentation
“Help Desk” Support (0-line aka RTFM fixes)
Installation
Empowering the Tail:Consumer Bug Bounties
security bugs
reputation costto producer
repair costto producer=
Bug
Fix
Val
ue
Bugs sorted by Value by Consumers
bug value toconsumers
repair cost toprogrammer=
Select an amount to offer as a bounty for fixing this bug.Your bounty will be held in escrow until the bug is fixed or the time limit expires. The default time limit is 6 months.Currently, 875 users have offered a total of $2298.45 for fixing this bug.You have been affected by this bug 7 times.
Max: $50Avg: $2.63$0.99 Other
Software Improvement
Testers
Attackers
Users
Trusted ThirdParty
Producer
RE
PurchasePrice
Programmers
Bi
B
Complex StructureProblem only with Uncertainty(?)
Multiple Aggregated“Consumers”
Multiple Competing“Providers”
Social Utility Issues
Open source: avoid “crowding out” altruistic providers
Closed source: drive collaboration and profit-sharing
- Would companies allow their programmers to collect bounties?
Generalized Market
Testers
Attackers
Users
Trusted ThirdParty
Producer
RE
PurchasePrice
Programmers
Bi
B
Security bugs
Functional bugs
Non-fatal bugs
Feature requests
Generalized Application
How are these reported and aggregated??
Assume Away Uncertainty?
Design market assuming we can
precisely classify bugs
precisely identify fixes
Attack Uncertainty Separately
Program analysis
Program slicing
Statistical clustering techniques
User Observation
Change in bug frequency
Rating of Producers (for fixes) and Consumers (for acceptance tests)
“App Store” Model
N Consumers, but only 1 Producer